
Configure DPA to use a custom certificate for SSL/TLS using keytool

Updated February 8, 2017

Overview

By default, DPA 9.2 and later automatically generates a self-signed certificate that is used to establish secure communication over HTTPS. This article describes how to replace the self-signed certificate with a custom certificate using keytool, a Java application.

SolarWinds allows you to configure custom certificates. However, SolarWinds Support does not provide configuration assistance. If you need assistance, please contact the vendor who provided your certificate.

Before you begin, you must contact your administrator to determine the certificates required for your environment.

Environment

  • DPA 9.2 and later

Steps

If you have a Java KeyStore (JKS) file from your administrator, you can rename it to .keystore and skip to step 2. SolarWinds recommends renaming the alias of the server certificate in the keystore file to tomcat by running the following commands:

  • List all certificates stored in the keystore file:
    keytool -list -v -keystore <YOUR_KEYSTORE_FILE>
  • Identify the certificate for your DPA server and use its alias name as <OLD_ALIAS_NAME>.
  • Rename the certificate alias <OLD_ALIAS_NAME> to tomcat:
    keytool -changealias -alias "<OLD_ALIAS_NAME>" -destalias "tomcat" -keypass <CERTIFICATE_KEY_PASSWORD> -keystore <YOUR_KEYSTORE_FILE> -storepass <KEYSTORE_PASSWORD>

  Default passwords are changeit.

If you do not have a JKS file from your administrator, follow these steps:

  1. Create a keystore containing the newly generated private/public key pair.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -storepass <KEYSTORE_PASSWORD> -keypass <CERTIFICATE_KEY_PASSWORD> -dname "CN=<HOST_NAME>,O=<ORGANISATION>,L=<LOCATION>,ST=<STATE>,C=<COUNTRY>"
    
    Notes:
    • You can choose the specific domain name (dpa.yourdomain.com) or use a wildcard character (*.yourdomain.com).
    • Default passwords are changeit.
  2. Generate a certificate-signing request.
    keytool -certreq -keyalg RSA -alias tomcat -keystore .keystore -file <DPA_CERT_REQUEST_FILE> -storepass <KEYSTORE_PASSWORD>
    
  3. Ask your certificate authority (CA) to sign your request file, <DPA_CERT_REQUEST_FILE>. You should then receive a file containing the signed certificate from your CA.
  4. Get the files with the trusted certificate chain from your CA.
    • Ensure that every certificate of the chain is in a separate file. A file containing multiple certificates is not supported.
    • Start from the root CA certificate and progress down the chain. Typically this means importing the root CA certificate and one or more intermediate certificates.
  5. Import certificates from the trusted chain into your keystore.
    keytool -import -alias <ALIAS> -keystore .keystore -trustcacerts -storepass <KEYSTORE_PASSWORD> -file <CERTIFICATE_CHAIN_FILE>

    Repeat this command once per file in the chain, using a different <ALIAS> for each certificate. If you receive the following error message, the chain file contains more than one certificate; ask your CA where to get the certificates as separate files.

    keytool error: java.lang.Exception: Input not an X.509 certificate => chain certificate has to be in separate files

  6. Import the signed certificate from your CA to your keystore.
    keytool -import -alias tomcat -keystore .keystore -storepass <KEYSTORE_PASSWORD> -file <DPA_SIGNED_CERT_FILE>
    
  7. Place the .keystore file into the <DPA-dir>/iwc/tomcat/conf/ directory.
  8. If you did not use the default password (changeit), edit the server.xml file in the same conf directory and add these attributes to the Tomcat HTTPS connector:
    keystorePass=<KEYSTORE_PASSWORD> keyPass=<CERTIFICATE_KEY_PASSWORD>
    
  9. Restart the DPA server.
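The chain caveat in steps 4 and 5 (one certificate per file, root CA first) is easy to get wrong when a CA hands over a single PEM bundle. As an added example (not SolarWinds' or the article's own code), this POSIX shell script splits such a bundle into one file per certificate and prints the step 5 import commands in root-first order. The output file names chain-N.pem, the aliases chain-N and the sample bundle are assumptions made here, not values from the article.

```shell
#!/bin/sh
# Added example, not SolarWinds' code. The bundle is assumed to be ordered
# root CA first (as step 4 requires); file names chain-N.pem and aliases
# chain-N are placeholders you can rename.

# split_pem_bundle <bundle.pem> <output-dir>: writes chain-1.pem, chain-2.pem,
# ... and prints how many certificates were written. Text outside a
# BEGIN/END block (e.g. openssl "Bag Attributes" lines) is dropped.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inblock = 1 }
        inblock { print > (out) }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# chain_import_commands <output-dir> <keystore> <storepass>: prints one
# "keytool -import" line per chain-N.pem in numeric order, so the root CA is
# imported before the intermediates. Review the output, then pipe it into sh.
chain_import_commands() {
    outdir="$1"
    keystore="$2"
    storepass="$3"
    i=1
    while [ -f "$outdir/chain-$i.pem" ]; do
        echo "keytool -import -alias chain-$i -keystore $keystore -trustcacerts -storepass $storepass -file $outdir/chain-$i.pem"
        i=$((i + 1))
    done
}

# write_sample_bundle <file>: constructed sample with two placeholder
# certificate blocks (not real certificates; only the PEM framing matters).
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes: constructed sample, root CA first
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

Run `split_pem_bundle chain.pem split` on the real bundle, check the printed count against what your CA told you to expect, then run the commands from `chain_import_commands split .keystore <KEYSTORE_PASSWORD>` before step 6.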

Troubleshooting

If your browser warns about an insecure connection, view the certificate details in your browser to identify the error:


NET::ERR_CERT_COMMON_NAME_INVALID, SSL_ERROR_BAD_CERT_DOMAIN

The requested host name does not match the certificate presented by the server.

Ensure that the certificate CommonName contains the host name of the DPA server, that is, the name users enter in the browser.


NET::ERR_CERT_AUTHORITY_INVALID, SEC_ERROR_UNKNOWN_ISSUER

The browser does not trust the issuer of the certificate presented by the server. The keystore used for the imports in steps 5 and 6 must be the one that was used to generate the CSR in step 2.

Use the same keystore file (.keystore) in all steps.
